@workspacejson/codex-mcp
OfficialProvides OpenAI Codex with behavioral history from workspace.json, including file fragility and co-change partners, to inform editing decisions and prevent incomplete changes.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@@workspacejson/codex-mcpcheck context for src/routes/checkout.ts"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
@workspacejson/codex-mcp
An MCP server that gives OpenAI Codex the one thing it structurally cannot derive from the current source tree: behavioral history. It reads a local workspace.json and exposes, as Codex tools, which files are fragile (historically error-prone / high blast radius) and which files co-change (tend to be edited together).
Codex reads the same tree you do. What it can't see is that src/db/client.ts has been reverted three times, or that touching the checkout route almost always means touching the session module too. That history lives in workspace.json. This server hands it to Codex, and via the MCP instructions field, tells Codex to consult it before editing a file rather than only when asked.
At runtime, the server operates locally over stdio and does not upload repository contents. Initial package installation may contact npm.
See it in 30 seconds
Task: Update the checkout route.
Without workspace.json: Codex proposes one file.
With workspace.json: the hook identifies two evidenced partners and blocks the incomplete patch.
Result: Codex revises the changeset before the edit lands.
Related MCP server: mcp-edit-math
Install & wire into Codex
Option 1: MCP context only
Add the MCP server to Codex (~/.codex/config.toml global or .codex/config.toml project-scoped):
[mcp_servers.workspacejson]
command = "npx"
args = ["-y", "@workspacejson/codex-mcp"]
# Optional: point at a specific file or search root.
# env = { WORKSPACE_JSON_PATH = "/abs/path/.agents/workspace.json" }Restart Codex, then run /mcp in the TUI to confirm the server is connected. The server ships standing guidance in its MCP instructions; you can reinforce it in AGENTS.md:
Before editing or creating a file, call workspace_get_file_context on the target
path to check fragility and co-change partners.Option 2: Full Codex plugin — MCP + deterministic hook
For deterministic enforcement, install the plugin manifest and its PreToolUse hook. The npm package includes the plugin manifest under .codex-plugin/plugin.json and the hook under hooks/hooks.json.
Point Codex's plugin loader at the manifest inside the installed package, or copy the plugin directory into your Codex plugins path:
# Example: copy bundled plugin assets into a Codex plugin directory
cp -r node_modules/@workspacejson/codex-mcp/.codex-plugin ~/.codex/plugins/workspace-json
cp -r node_modules/@workspacejson/codex-mcp/hooks ~/.codex/plugins/workspace-json/
cp node_modules/@workspacejson/codex-mcp/.mcp.json ~/.codex/plugins/workspace-json/The exact Codex plugin path depends on your Codex version and platform; the plugin manifest (plugin.json) references ./hooks/hooks.json and ./.mcp.json relative to the plugin root. The hook in hooks/pre-edit-check.mjs is the same file used for repo-native fallback and CI.
Evidence tiers (the part that is different)
Every fragility signal carries a tier, derived mechanically by this package from the evidence attached to it. Producers (humans, tools, agents) record evidence; they never record a tier or a confidence value, and any such field in the artifact is ignored and re-derived:
Tier | Meaning | Derivation |
| Claimed, no evidence recorded | zero evidence records |
| Something was seen and written down | at least one evidence record ( |
| A green we watched | at least one evidence triple whose read-only command was re-run locally and reproduced its recorded output ( |
Tier drives enforcement strength, mechanically: an evidenced-fragile file whose recorded co-change partners are absent from the changeset is denied; evidenced fragility with partners covered warns; ASSERTED fragility only annotates. And deliberately: this system can justify a block or a warning, but it structurally never emits a safety approval. Absence of recorded risk is reported as absence, never as "safe" — the evidence class that would certify safety is exactly the class that cannot be verified by read-only re-run.
Hooks (deterministic enforcement)
hooks/pre-edit-check.mjs is a PreToolUse hook for Codex's apply_patch: it parses the touched paths from the patch, assesses the whole changeset, and denies or warns before the edit lands. It is also the repo-native fallback and CI consumer:
git diff --name-only | node hooks/pre-edit-check.mjs --paths-stdin
node hooks/pre-edit-check.mjs --paths src/routes/checkout.tsThe hook fails open on missing/unparseable input (no workspace.json means no opinion, never a fabricated block) and never crashes the edit loop. A block is triggered by an evidenced partner omission: a co-change relationship recorded in workspace.json is absent from the proposed patch. It does not mean the partner is universally required for every semantic change.
Tools
All are read-only and operate on the local workspace.json.
workspace_get_file_context(path)— the primary call. Returns fragility (with reason/score/evidence when present) and co-change partners for one file. Call it before editing. Returnsfragile:falsewith an empty partner list when a file has no recorded history: that means no recorded risk, not verified safe. The system never issues a safety approval; it only reports whether the evidence it holds supports a concern.workspace_get_cochange_partners(path)— the files that historically change with this one. Call it after an edit to catch related updates.workspace_list_fragile_files(limit?)— all fragile files, most fragile first. Orientation at the start of a task.workspace_assess_change(paths[])— evaluate a whole changeset; returns the mechanicaldeny/warn/annotate/nonedecision with per-file assessments. The MCP twin of the hook.
The workspace.json shape it reads
This server reads a tolerant superset of the workspace.json standard. The fields consumed:
Field | Used for |
| fragility signal (accepts |
| co-change groups (accepts |
| whether a queried path is indexed |
| framework context |
Provenance note: the normalizer in
src/services/workspace.tsis the single place that touches raw file shape. Field names above track the standard'sv0.xline; if the canonical schema in@workspacejson/specdiffers, adjust the normalizer only. The rest of the server depends on the normalized model insrc/types.ts, never the raw file.
Develop
npm install
npm run build # tsc, strict
npm run smoke # spawns the server over stdio and drives it via a real MCP clientThe smoke test (scripts/smoke.mjs) exercises the protocol end to end: initialize, tools/list, and tool calls including the two cases a lazy implementation gets wrong — absolute-vs-relative path matching and unknown-file (which must return empty, never a fabricated match).
For the OpenAI Build Week submission
This project was built during OpenAI Build Week as a new Codex integration for the open
workspace.jsonstandard. Theworkspace.jsonstandard and its generator (@workspacejson/cli) are pre-existing open-source work, used here as a dependency the same way any participant could depend on it. The Build Week contribution is@workspacejson/codex-mcp: the MCP server, its tool surface, and the proactive-check wiring through Codex'sinstructionsfield, all authored in-window and contained in this repository.
Verification status (honest tiers on our own claims)
VERIFIED (smoke suite drives the built server over stdio and the hook via stdin, 24 checks): protocol handshake and instructions, all four tools, tier derivation for ASSERTED/OBSERVED, the deny/warn/none enforcement matrix, evidence citation in deny reasons, META-102 exact-first path matching with absolute-path fallback and fuzzy-match rejection, root-marker upward walk from a nested cwd, hook exit codes and JSON emission, fail-open on garbage input.
VERIFIED on real Codex 0.144.1 (2026-07-13): the installed plugin manifest loaded its PreToolUse hook; hookSpecificOutput.permissionDecision: "deny" plus exit code 2 blocked apply_patch under WJSON_DENY_ALL=1; unsetting it allowed a normal edit; the fixture denied a checkout-only edit with the recorded revert d4e5f6 evidence and missing partners; and a single patch covering checkout, session, and format surfaced cautionary context and proceeded. The output contract and manifest remain isolated to single adapter points (emitDecision() in the hook; .codex-plugin/plugin.json).
Current limitations
Enforcement currently covers Codex
apply_patch.Other edit mechanisms may receive context without deterministic blocking.
Missing or malformed
workspace.jsonfails open.Stale evidence is not treated as proof of current risk.
fragile:falsemeans the file has no recorded fragility, not that it is verified safe.This does not replace tests, review, or repository instructions.
License
Apache-2.0
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/workspace-json/codex-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server